Introducing Digital Forensics

Peter Sommer

London School of Economics, UK


Peter Sommer

  • academic at London School of Economics – Information Systems as opposed to “Computer Science”

  • 1st degree: Oxford Law

  • first forensic investigation – 1985

  • since then: Rome Labs, Cathedral / Cheshire Cat, Buccaneer, murder, fraud, immigration, software and currency counterfeiting, warez, harassment, paedophilia, hacking, information theft, etc.

  • Shrivenham MSc , Centrex LE training

  • UK experts have primary duty to the courts


Digital Forensics

aka

  • Computer Forensics

  • Forensic Computing

  • Digital Evidence


Digital Forensics

More than:

  • Investigating computer-related incidents

  • Incident Response

But:

  • Collecting evidence and building a story that can be used in court – and if necessary lead to a conviction


Digital Forensics

Thus:

  • Everything you would need to do while investigating a computer incident

  • Making sure that someone else can test and verify everything you claim

  • Complying with the needs and peculiarities of the law


Digital Forensics

We are going to look at these issues mostly via a case study

  • Demonstrates most types of computer-derived evidence

  • Shows how a good complex case is put together

  • Illustrates various legal needs

  • Shows how, after all this, a case may fail


Digital Forensics

But first, we need to introduce some legal terminology, give a bit of background ….


Evidence in Court

Adversarial Criminal Procedure:

As used in US, UK and former UK colonies

  • police investigate; prosecuting authority / DA prosecutes; judge is chairman / enunciator of law; jury decides issues of fact; prosecution and defence arguments are presented by lawyers

  • proof is what is demonstrated before the court (not what “scientists” or “experts” say they believe)


Evidence in Court

  • Admissibility (legal rules decided by judge)

    • hearsay, documents, unfairness in acquisition

    • Fed. Rules, 4th Amendment; CALEA; PACE 1984; CJA 1988; RIPA 2000

  • Weight (issues of fact)

    • what persuades a court is not the same as scientific “proof” - Frye, Daubert, Kumho Tire


Attributes of Good Evidence

  • authentic

  • accurate

  • complete


Attributes of Good Evidence

  • chain of custody / continuity of evidence

  • transparent forensic procedures

  • accuracy of process

  • accuracy of content

  • explanations


The Case Study

Rome Labs


Rome Labs

  • March-April 1994 - classic teenage hack of USAF, NASA, Lockheed etc sites

  • Rome Labs, New York, paralysed for nearly 3 weeks

  • “The most serious attack on the US military without the declaration of hostilities”

  • … used in the 1996 GAO Report, the Congressional “Security in Cyberspace” hearings, etc. as an exemplar of Information Warfare


GAO Report


Rome Labs

Sources:

  • I was hired by UK defence lawyers (in the English legal system)

  • The evidence before the UK courts

  • USAF investigators

  • Scotland Yard investigators

  • The perpetrators


  • Important perpetrator: “Datastream Cowboy”

  • USAF investigator recalls IRC session with a “Datastream Cowboy” several months earlier - had provided London, UK, phone number

  • Via Scotland Yard Computer Crime Unit: phone number linked to Richard Pryce, 16 yrs old


R v Richard Pryce


[Diagram: “Datastream Cowboy” and Richard Pryce]


[Diagram: “Datastream Cowboy” and Richard Pryce]

The Legal Problem: how do you prove the link between “Datastream Cowboy” and Richard Pryce?


How the hack happened


[Diagram of the route: London, Seattle, Internet, PSTN, PSTN, Bogota]


How the hack was monitored


[Diagram of monitoring points: ISP shell account; phone calls (time, duration); IP monitor]


How the hack was monitored: the evidence


[Diagram of evidence sources: Pryce’s HDD; ISP info and logs; Unix logs and monitoring programs; phone logs; network monitor logs; target logs and files (several targets)]


[Diagram of evidence sources: Pryce’s HDD; ISP info and logs; Unix logs and monitoring programs; phone logs; network monitor logs; target logs and files (several targets)]

Most of these have date/time stamps ...
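Those date/time stamps are only useful if the clocks behind them agree. As an added illustration (not part of the slides, and using constructed records rather than the case's real data), the script below correlates a phone call monitor's records with an ISP shell-account monitor's login/logout times: a session is only accounted for when a call to the ISP's dial-in number (a hypothetical number here) spans the whole session. It assumes the ISP machine's clock error is a single constant offset; if that assumption is wrong, the same records stop lining up, which is the gap a defence expert looks for.

```python
from datetime import datetime, timedelta

# Constructed sample records (not the case's real data). Each source keeps its
# own clock: the call monitor records number dialled, start time and duration
# (no content); the ISP shell-account monitor records login/logout times.
ISP_DIAL_IN = "0181-555-0100"  # hypothetical dial-in number for the ISP
PHONE_CALLS = [  # (number dialled, start, duration in seconds)
    ("0181-555-0100", "1994-03-28 22:10:05", 3540),
    ("0181-555-0199", "1994-03-28 23:10:00", 600),   # unrelated call
    ("0181-555-0100", "1994-04-01 23:02:40", 1800),
]
SHELL_SESSIONS = [  # (account, login, logout) as the ISP machine's clock saw them
    ("ds-cowboy", "1994-03-28 22:23:30", "1994-03-28 23:17:10"),
    ("ds-cowboy", "1994-04-01 23:16:00", "1994-04-01 23:42:00"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def covering_call(login, logout, calls, isp_offset_minutes=0,
                  isp_number=ISP_DIAL_IN):
    """Return (start, duration) of the call to the ISP whose window contains
    the whole session, after removing the ISP clock's known error
    (isp_offset_minutes = ISP clock minus true time, in minutes).
    None means no call accounts for the session: either the clocks disagree
    or the records are incomplete, which is exactly what the defence probes."""
    skew = timedelta(minutes=isp_offset_minutes)
    start = parse(login) - skew
    end = parse(logout) - skew
    for number, call_start, seconds in calls:
        if number != isp_number:
            continue  # the call monitor shows this was not a call to the ISP
        cs = parse(call_start)
        ce = cs + timedelta(seconds=seconds)
        if cs <= start and end <= ce:
            return call_start, seconds
    return None

def correlate(calls=PHONE_CALLS, sessions=SHELL_SESSIONS, isp_offset_minutes=0):
    """One entry per shell session: the covering call, or None."""
    return [covering_call(a, b, calls, isp_offset_minutes) for _, a, b in sessions]

if __name__ == "__main__":
    print("ISP clock taken at face value:", correlate())
    print("ISP clock known to run 12 min fast:", correlate(isp_offset_minutes=12))
```

With the ISP clock taken at face value neither session is covered by a call; once the 12-minute error is removed both are, and a guessed 5-minute correction still explains nothing.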


Role of Defence Expert

Prior to trial -

  • explain evidence to lawyers

  • look for weaknesses

At trial -

  • assist lawyers

  • (perhaps) give evidence

    • fact & opinion

    • answers must be complete


Role of Defence Expert

  • Acts under instruction - specific instruction:

    “Discard any admissions in interview; show us the weaknesses in the digital evidence …”


[Diagram of evidence sources: Pryce’s HDD; ISP info and logs; Unix logs and monitoring programs; phone logs; network monitor logs; target logs and files (several targets)]

No Records!


Breaking the Digital Evidence

  • Pryce’s HDD

  • BT Call Monitor

  • ISP Monitored Shell A/c

  • ISP Own Statements

  • USAF Network Monitors

  • Target Records


Breaking the Digital Evidence

Pryce’s HDD

  • 170 MB!

  • lots of hacking tools

  • partial logs of IRC sessions

  • password and IP address files

  • files apparently from some target computers

  • music-related files


Breaking the Digital Evidence

Pryce’s HDD

  • disk imaging - evidence preservation

  • print-outs

  • PII (Public Interest Immunity) certificate - sensitive files

  • recovered data

  • corrupted files

  • was there more than one source for target password files?


Breaking the Digital Evidence

BT Call Monitor

  • records numbers dialled, time, duration, not content

  • inconsistent print-out


Breaking the Digital Evidence

ISP Monitored Shell A/c

  • Unix ps and w output; automated, semi-automated and manual capture

  • how were evidential print-outs controlled and preserved?

  • team effort - who reports?


Breaking the Digital Evidence

ISP Monitored Shell A/c

  • print-out depends on accuracy of:

    • ISP CyberSpace machine

    • computers hosting monitoring facilities

    • monitoring programs - disclosure

    • human operators

    • continuity of evidence

    • clock timings!!


Breaking the Digital Evidence

USAF Network Monitor

  • monitors IP traffic on sub-net

  • principle is OK, but how achieved?

  • monitoring point(s)

  • quality of program - disclosure

  • continuity of evidence

  • team work


Breaking the Digital Evidence

Target Records

  • freezing of scene

  • continuity of evidence

  • “I recognise ….”

  • honey traps


Lessons from Rome Labs

  • Hackers invented no new techniques but used existing ones well with great determination and stamina

  • USAF computers

    • poorly secured

    • fixed IP addresses, default passwords

    • little use of CERT etc advisories


Lessons from Rome Labs

  • Hackers were often rejected; would have had many more failures with better elementary security

  • US investigators hampered by internal jurisdictional boundaries

  • US investigators had very little training in evidence collection

  • US/UK collaboration was quite good!


Conclusions

  • Digital Evidence alone would have been insufficient

  • Good technical methods alone would not have worked

  • Effects of team efforts

  • Poor evidence continuity

  • Disclosure of methods issues

